diff --git a/README.md b/README.md
index 5cc19bb..0f558e9 100644
--- a/README.md
+++ b/README.md
@@ -50,8 +50,10 @@ Usage of ./google_auth_proxy:
  -client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
  -client-secret="": the OAuth Client Secret
  -cookie-domain="": an optional cookie domain to force cookies to
+ -cookie-expire=168h: expire timeframe for cookie
+ -cookie-https-only=false: set HTTPS only cookie
  -cookie-secret="": the seed string for secure cookies
- -google-apps-domain="": authenticate against the given google apps domain
+ -google-apps-domain=[]: authenticate against the given google apps domain (may be given multiple times)
  -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
  -http-address="127.0.0.1:4180": : to listen on for HTTP clients
  -pass-basic-auth=true: pass HTTP Basic Auth information to upstream
@@ -98,6 +100,7 @@ The command line to run `google_auth_proxy` would look like this:
  --google-apps-domain="yourcompany.com" \
  --upstream=http://127.0.0.1:8080/ \
  --cookie-secret=... \
+ --cookie-secure=true \
  --client-id=... \
  --client-secret=...
 ```
@@ -108,9 +111,9 @@ The environment variables `google_auth_client_id`, `google_auth_secret` and `goo
 
 ## Endpoint Documentation
 
-Google auth proxy responds directly to the following endpoints. All other endpoints will be authenticated.
+Google Auth Proxy responds directly to the following endpoints. All other endpoints will be authenticated.
 
 * /ping - returns an 200 OK response
 * /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
-* /oauth2/start - a URL that will redirect to start the oauth cycle
-* /oauth2/callback - the URL used at the end of the oauth cycle
+* /oauth2/start - a URL that will redirect to start the OAuth cycle
+* /oauth2/callback - the URL used at the end of the OAuth cycle
diff --git a/main.go b/main.go
index c2ee189..73a84ac 100644
--- a/main.go
+++ b/main.go
@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"time"
 )
 
 const VERSION = "0.1.0"
@@ -23,6 +24,8 @@ var (
 	htpasswdFile = flag.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
 	cookieSecret = flag.String("cookie-secret", "", "the seed string for secure cookies")
 	cookieDomain = flag.String("cookie-domain", "", "an optional cookie domain to force cookies to")
+	cookieExpire = flag.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
+	cookieHttpsOnly = flag.Bool("cookie-https-only", false, "set HTTPS only cookie")
 	authenticatedEmailsFile = flag.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
 	googleAppsDomains = StringArray{}
 	upstreams = StringArray{}
diff --git a/oauthproxy.go b/oauthproxy.go
index e5f5019..859fdb2 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -189,9 +189,9 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
 		Value: signedCookieValue(p.CookieSeed, p.CookieKey, val),
 		Path: "/",
 		Domain: domain,
-		Expires: time.Now().Add(time.Duration(168) * time.Hour), // 7 days
 		HttpOnly: true,
-		// Secure: req. ... ? set if X-Scheme: https ?
+		Secure: *cookieHttpsOnly,
+		Expires: time.Now().Add(*cookieExpire),
 	}
 	http.SetCookie(rw, cookie)
 }
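Review bot: The new flag is registered as `cookie-https-only`, but the README example added in the same commit passes `--cookie-secure=true`, which the standard flag package will reject as an unknown flag; the two names must agree, and `cookie-secure` better matches the `Secure` cookie attribute it controls. The flag leaves the session cookie's Secure attribute off by default, so a deployment that terminates TLS in front of the proxy still emits a cookie the browser will also send over plain HTTP unless the operator opts in; the help text should make that consequence explicit, e.g. `"set the Secure attribute on the session cookie so it is only sent over HTTPS (recommended)"`. As a point of style, the identifier should follow Go initialism casing, `cookieHTTPSOnly`, and `168 * time.Hour` reads more plainly than `time.Duration(168)*time.Hour`.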
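Review bot: SetCookie now reads the package-level flag variables `*cookieHttpsOnly` and `*cookieExpire` directly, while the seed and key on the neighbouring `Value:` line come from the receiver (`p.CookieSeed`, `p.CookieKey`); this makes the cookie's security attributes depend on flag parsing having run, which is invisible at the call site and hard to test without globals. Presumably these belong on OauthProxy as fields populated wherever CookieSeed is set, e.g. `Secure: p.CookieSecure,` and `Expires: time.Now().Add(p.CookieExpire),`. A zero or negative `-cookie-expire` yields an Expires in the past, i.e. a cookie the browser discards immediately, so the flag value should be validated at startup rather than here. SetCookie's body begins before the hunk; only its tail is visible.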